Problems with Port Forwarding for RDP in WebVPN
Hi,
I'm hoping somebody can help me solve this problem that's been bugging me for weeks. We recently implemented a double-layer firewall architecture. Before that, our users could access RDP via port forwarding on WebVPN or the Cisco VPN client without any problems.
After we implemented the double-layer firewall architecture, users who are going through the WebVPN and port forwarding for RDP began to experience frequent disconnections, slowness or freezing connections. The users who are using the client are fine.
I checked the logs and I'm getting repetitive TCP-O for the port forwarding connections for RDP. Additional information: the FW we installed as a 2nd layer is Netscreen. I've already set the policy on it to Any-Any for the meantime to help in troubleshooting but to no avail.
I hope somebody can help me in sorting this out as I'm kind of confused on the difference between the port-forwarding for RDP via the WebVPN and the normal RDP via the client.
Hi,
I didn't see anything marked with red in the above? (At least when I was reading)
I have not really had to deal with Routers at all since we do all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni
Similar Messages
-
HELP!! asa 5505 8.4(5) problem with port forwarding-smtp
Hi I am having a big problem with port forwarding on my asa. I am trying to forward smtp through the asa to my mail server.
my mail server ip is 10.0.0.2 and my outside interface is 80.80.80.80 , the ASA is setup with pppoe (I get internet access no problem and that seems fine)
When I run a trace I get "(ACL-Drop) - flow is denied by configured rule"
below is my config file , any help would be appreciated
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISPDsl
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_SMTP
host 10.0.0.2
access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network server_SMTP
nat (inside,outside) static interface service tcp smtp smtp
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
: end
Hi Jennifer
I have removed that nat line as suggested but still no joy.
here is my current config
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_Mail
host 10.0.0.2
access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Server_Mail
nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
: end
also here is the packet trace
and my acl
Thanks -
Problem with Port Forwarding in WRT320N
Good day.
I have a web-server and Internet-radio translator to local network of my provider. And I found a problem with Port Forwarding. I'm trying to setup 80 & 8000 ports to forward. And it's working but only for Internet, without provider's local network. My web-server isn't accessible in local network and radio-translator too.
So is it possible to forward ports absolutely - for any type of connections?
P.S. DMZ is working like Port Forwarding.
If you ask questions you have to mention that you have a PPTP connection to the internet and another network directly on the internet port. Otherwise no one will really understand your question as it is a very unusual setup.
Your setup is not one really supported by the router. You are lucky that it works but don't expect too much. Port forwarding only the internet connection. If you use PPTP the network on the internet port is basically hidden. Using that local network on the internet port is not supported.
The DMZ host is the IP address to which all ports are forwarded to which are not forwarded otherwise. The same restriction applies here.
I would recommend to ask your ISP which router they recommend for their internet connection. I think most/all Linksys routers and many other brand's consumer routers won't really support a setup like yours... -
Problem with Port Forwarding (when PPTP is up) in WRT-160N
Hi, everybody!
I'm looking for some help with Port Forwarding in my new router from Linksys. I bought the router a few days ago, and was badly surprised when I found out that DD-WRT firmware was installed on it (the router was 100% NEW when I purchased it). I have downloaded the latest original Linksys firmware file and successfully flashed it.
But I still have a problem (the same one I had on DD-WRT firmware too) with port forwarding for my DC++ and Vuze (app for torrents): I've written port forwards for ports 49151 (for Vuze) and 4000 (for DC++) to be forwarded to my desktop computer (IP 192.168.1.201) -- I've seen a post at this forum saying that there could be a problem if you forward to an IP which is inside the DHCP local zone, so I've forwarded it to the .201 IP (my local DHCP zone is 192.168.1.100 - .149). But forwarding doesn't work ((
What's wrong?
My configuration:
Router IP: 192.168.1.1
PPTP (I've got it from my ISP)
IP address: 192.168.226.127
Default Gateway: 192.168.226.2
DNS 1: 192.168.1.1
DNS 2 & 3: 0.0.0.0
PPTP Server IP Address: 192.168.226.2
Username: ****
Password: ****
Single Port Forwarding:
Application name   External port   Internal port   Protocol   To IP address   Enabled
Vuze               49151           49151           Both       192.168.1.201   Checked
DC                 4000            4000            Both       192.168.1.201   Checked
As you have mentioned in your post that your ISP has provided you a PPTP connection with an IP address: 192.x.x.x. The IP address which is provided to you by your ISP is in a Private Range, and if you try to forward any ports on your router it will not work, as your ISP modem will block that port. So you need to get a Public IP address from your ISP.
As you are getting Private IP from your ISP, so this connection is called as NAT behind NAT, and your Modem is acting like a Router.
So now you have 2 options, get the Public IP address from your ISP or change the connection type. -
Help with port forwarding for the WRT54G
I need assistance please!
I am having issues trying to setup port forwarding for a ftp. I already have set this up for a SQL Server port and it works remotely. When I setup another rule for ftp using port range 20-21 it does not work.
I have confirmed that I have saved my settings, have the correct IP address, etc. I have firmware version 4.21.1 and not sure how to troubleshoot this. Any help would be great.
Thanks,
John
Yes you do need to have the port already forwarded for port 20~21 with both TCP/IP and UDP enabled unless you know for sure your ftp only uses just one of them. That is why I asked what port your SQL was set to. Follow the link that other guy posted and open port 20 and 21 (I only use 21 with no problems) and make sure it is directed to the IP of the ftp host. Also that PC needs to have the FTP enabled in Windows. To do that go to your control panel > add/remove software > and on the left side go to add/remove windows components. Then check the box for the ftp and add it. It should ask for your Windows CD so have it handy when you add the ftp component to your PC.
Richard Aichner (Ikester) -
Port Forwarding for RDP 3389 is not working
Hi,
I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the server's firewall, it's just the Cisco. I highlighted in red what I thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
functions svc-enabled
svc address-pool "sat-ipsec-vpn-pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 10.0.0.0 255.0.0.0
svc split include 192.168.0.0 255.255.0.0
svc split include 172.16.0.0 255.240.0.0
svc dns-server primary 10.20.30.20
svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
end
Hi,
I didn't see anything marked with red in the above? (At least when I was reading)
I have not really had to deal with Routers at all since we do all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni -
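The mismatch described in the reply above can be checked mechanically: on an IOS router the inbound interface ACL is evaluated before the outside-to-inside NAT translation, so a `permit` that names the inside address never matches forwarded traffic. The following is an added example, not part of the original thread; the sample config is constructed (203.0.113.10 stands in for the redacted public IP) and the finding names are this example's own.

```python
import re

# Constructed sample modelled on the posted config; 203.0.113.10 is a
# documentation address standing in for the redacted public IP.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.248
 ip access-group INTERNET_IN in
 ip nat outside
interface Vlan1
 ip address 10.20.30.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 203.0.113.10
ip access-list extended INTERNET_IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 10.20.30.20 eq 3389
 deny ip any any
"""

IFACE = re.compile(r"interface (\S+)$")
ACL = re.compile(r"ip access-list extended (\S+)$")
# Only entries with a "host <addr>" destination are parsed; the last host is the destination.
ACE = re.compile(r"(permit|deny) (\S+) .*?host (\S+)(?: eq (\S+))?$")
PAT = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface )?(\S+) (\d+)$")
NAT = re.compile(r"ip nat inside source static (\d[\d.]*) (\d[\d.]*)$")


def parse(config):
    """Keyword-driven parse, so it also works on configs whose indentation was lost."""
    ifaces, acls, nats = {}, {}, []
    cur_if = cur_acl = None
    for line in (l.strip() for l in config.splitlines()):
        if m := IFACE.match(line):
            cur_if = ifaces.setdefault(m[1], {"ip": None, "acl_in": None, "outside": False})
            cur_acl = None
        elif m := ACL.match(line):
            cur_acl, cur_if = acls.setdefault(m[1], []), None
        elif m := PAT.match(line):
            nats.append({"proto": m[1], "local": m[2], "global": m[4], "gport": m[5]})
        elif m := NAT.match(line):
            nats.append({"proto": None, "local": m[1], "global": m[2], "gport": None})
        elif cur_if is not None:
            if m := re.match(r"ip address (\d[\d.]*) ", line):
                cur_if["ip"] = m[1]
            elif m := re.match(r"ip access-group (\S+) in$", line):
                cur_if["acl_in"] = m[1]
            elif line == "ip nat outside":
                cur_if["outside"] = True
        elif cur_acl is not None and (m := ACE.match(line)):
            cur_acl.append({"action": m[1], "proto": m[2], "dst": m[3], "port": m[4]})
    return ifaces, acls, nats


def audit(config):
    """Return findings as tuples. Entry order and earlier denies are not modelled."""
    ifaces, acls, nats = parse(config)
    findings = []
    inside_local = {n["local"] for n in nats}
    for itf in ifaces.values():
        if not (itf["outside"] and itf["acl_in"]):
            continue
        permits = [e for e in acls.get(itf["acl_in"], []) if e["action"] == "permit"]
        # A permit to an inside-local address cannot match pre-NAT inbound packets.
        for e in permits:
            if e["dst"] in inside_local:
                findings.append(("acl-uses-inside-local", itf["acl_in"], e["dst"], e["port"]))
        # Each port forward needs a permit for its global address and port.
        for n in nats:
            if n["proto"] is None:
                continue
            gaddr = ifaces.get(n["global"], {}).get("ip") or n["global"]
            allowed = any(
                e["dst"] == gaddr and e["proto"] in (n["proto"], "ip")
                and e["port"] in (None, n["gport"])
                for e in permits
            )
            if not allowed:
                findings.append(("forward-not-permitted", itf["acl_in"], gaddr, n["gport"]))
    # The same inside host configured with both a full static NAT and a static PAT.
    pat_hosts = {n["local"] for n in nats if n["proto"]}
    for n in nats:
        if n["proto"] is None and n["local"] in pat_hosts:
            findings.append(("static-nat-and-pat-overlap", n["local"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
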
Problem with Port Forwarding - Password.
Hello,
I have a LINKSYS router, model BEFW11S4 v4 and its firmware is version 1.52.02
My problem is that neither can I do Port Forwarding nor Port Triggering, because when I make the changes I need and press "Save Changes", it asks me for the username and password again. I write them again, but this time it does not accept them.
I have tested it with 2 laptops connected to the router wired the first time and wireless other times.
What should I do?
Thank you in advance.
Normally, you cannot "see your modem" in your network. This is because a modem does not have an IP address. A modem simply converts one signal (ADSL, DSL, or cable) into another signal which is an ethernet signal.
However, some devices that people call "modems" are actually "modem-routers". In this case your "modem-router" probably does have an IP address. If your system is set up correctly, you can "see" a "modem-router" that has an IP address, but it is not part of your LAN (local area network). It is on another subnet.
The ethernet port of the modem should be wired to the "Internet" port on the BEFW11S4. Do not connect the modem to any other port on the router.
Maybe we need to back up a step or two here. I have always assumed that you were able to get a properly working wired Internet connection through your BEFW11S4. Is that correct?
What is the make and model of your modem?
Who is your ISP?
Also, when you set up your router, leave the username blank. Do not try to add a user name. Change the password to something unique. Do not use the password default "admin" (with no quotes).
Since you are still having problems, please use the following protocol to reset your router to factory defaults:
1) Power down all computers, the router, and the modem, and unplug them from the wall.
2) Disconnect all wires from the router.
3) Power up the router and allow it to fully boot (1-2 minutes).
4) Press and hold the reset button for 30 seconds, then release it, then let the router reset and reboot (2-3 minutes).
5) Power down the router.
6) Connect one computer by wire to port 1 on the router (NOT to the internet port).
7) Power up the router and allow it to fully boot (1-2 minutes).
8) Power up the computer (if the computer has a wireless card, make sure it is off).
9) Try to ping the router. To do this, click the "Start" button > All Programs > Accessories > Command Prompt. A black DOS box will appear. Enter the following: "ping 192.168.1.1" (no quotes), and hit the Enter key. You will see 3 or 4 lines that start either with "Reply from ... " or "Request timed out." If you see "Reply from ...", your computer has found your router.
10) Open your browser and point it to 192.168.1.1. This will take you to your router's login page. Leave the user name blank, and in the password field, enter "admin" (with no quotes). This will take you to your router setup page. Note the version number of your firmware (usually listed near upper right corner of screen). Exit your browser.
If you get this far without problems, try the setup disk (or setup the router manually, if you prefer), and see if you can get your router setup and working.
If you cannot get "Reply from ..." in step 9 above, your router is dead.
If you get a reply in step 9, but cannot complete step 10, then either your router is dead or the firmware is corrupt. In this case, use the Linksys tftp.exe program to try to reload your router with the latest firmware. After reloading the firmware, repeat the above procedure starting with step 1.
If you have problems, report back the results of steps 9 and 10. Also, if you get any error messages, copy them exactly and report back.
Message Edited by toomanydonuts on 04-14-2007 05:19 PM -
How can I setup port forwarding for RDP (3389) using MHS291LVW?
Hi,
I went into my MHS291LVW and I enabled port forwarding. I didn't see an option for Remote Desktop (RDP) so I added a custom application called RDP and I set "Global Port" and "Private Port" to port number 3389 and I set it as TCP/UDP and then entered the local IP (192.168.1.135) of the PC I want to connect to. I made my local PC use a static IP so this 192.168.1.135 will never change.
Then when I go under "About Jetpack" I see that there is a WAN IP address listed; so I wrote this down and then I tried to connect remotely to this PC from outside the Verizon Jetpack network but it didn't work.
Then the strange thing is when I go to Google and type "what's my IP", Google shows me a different external WAN IP address than Verizon Jetpack showed me in the admin web interface. Anyway, I tried this WAN IP address that Google gave me but it still didn't connect to my local PC.
Can someone please help me in figuring out why this is not working?
I've setup port forwarding on plenty of other routers (Linksys, Netgear, etc.), but I never tried it on a Verizon Jetpack MHS291LVW but it should work the same so I'm not sure why this is not working for me.
Thank you!
> If I can't use the "Microsoft Windows RDP" service because of the private IP; would I be able to use a software like "TeamViewer" to gain access to my PC?
Yes. This is how a VPN server works around the private IP address restrictions of the VZW network. It will work and you will be able to access anything that is centrally connected to a VPN server.
> Also, if I were to take the VPN option and setup a VPN server on the PC
Not on the remote PC silly guy. Hosting a VPN from within the VZW network won't do you any good as its IP will be masked by the NAT firewall. You must setup a VPN server off of the VZW network for it to work. That way when you remote into the VPN server it is already outside of the VZW NAT that is restricting you in the first place. There are many VPN vendors that you can test out and pay access for if you don't have any interest in setting up one on your own. Some are free where others charge more money for more bandwidth and customization features.
> If I were to try to connect to this PC on the JetPack side from an external PC on a different network I don't know how I would be able to access it since the JetPack IP address is private.
The idea is that everything rests on the VPN server when remote connections are made. The Jetpack PC, VPN Server and your current local PC all connect to the VPN server so everything is then local communication. The VPN will make it appear as though everything is virtually connected to the same appliance even though they are physically separated by whatever distance you want. -
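Both the NAT-behind-NAT answer in the WRT-160N thread and the Jetpack answer above come down to one check: compare the WAN address the router reports with the address the outside world sees. The following is an added example, not part of the original threads; the function name, verdict labels and the sample addresses in the test values are this example's own.

```python
import ipaddress

# Address ranges that are never reachable from the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def diagnose(router_wan_ip, observed_public_ip=None):
    """Classify whether a port forward on this router can be reached from outside.

    router_wan_ip      -- WAN/Internet address shown on the router's status page
    observed_public_ip -- address reported by an external "what is my IP" service
    Returns (verdict, reason).
    """
    wan = ipaddress.ip_address(router_wan_ip)
    if any(wan in net for net in RFC1918):
        return ("private-wan", f"{wan} is RFC 1918 space: another NAT device sits upstream")
    if wan in CGNAT:
        return ("carrier-nat", f"{wan} is in 100.64.0.0/10: the ISP is translating")
    if observed_public_ip is None:
        return ("unverified", f"{wan} is public, but no outside view was supplied")
    seen = ipaddress.ip_address(observed_public_ip)
    if seen != wan:
        return ("upstream-nat", f"outside hosts see {seen}, not {wan}")
    return ("direct", f"{wan} is what outside hosts see: forwards can be reached")


if __name__ == "__main__":
    # 192.168.226.127 is the PPTP address quoted in the WRT-160N post;
    # the other addresses are constructed documentation values.
    print(diagnose("192.168.226.127"))
    print(diagnose("203.0.113.5", "198.51.100.9"))
```
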
Wrt400n has problems with port forwarding
I have forwarded port 80 on my router and used a port forwarding tool to check to see if the port is open. I select both and it tells me the UDP is open, but not the TCP. Any idea why?? Thanks so much. I have also used the same tool to check ports 3074, 88 and 53. These ports are required for Xbox Live and I'm having an issue connecting. It connects to the internet fine, but it appears this port may be the problem. Please advise.
Who is your ISP..?
Port no 80 is by default on the router. You do not have to open the port 80. For x-box open the port 53 and 3074. Also, under the Administration tab, disable the UPnP and uncheck Filter Anonymous Internet Requests under Security tab... Reduce the MTU value to 1365 under the setup tab. It should work now. Make sure while doing the port forwarding, you are providing the correct ip address on the router as well on the X-Box.
However, if your ISP is DSL then, convert the modem into the bridge mode to make your x-box working. -
New Customer Experience with Port Forwarding
OK, so my OpenReach Modem and HomeHub 3 were installed last week and all seemed OK at first.
A bit of background:
I'm a seasoned IT guy and have a nice network set up at home that caters for my needs (most of the time).
Without going into too much detail, I have my own DHCP/DNS server and I run a Webserver for personal use.
I have Virgin Broadband - which work most of the time.
I've also just had BT Infinity installed so I should always have Internet access no matter which ISP is having issues.
I was hoping to be able to access my webserver externally from either my BT or Virgin. I didn't think this would be an issue.
It still all works fine through my Virgin connection. I use dynamic DNS (no-ip.org) to get to my server.
On the Virgin Superhub - I have DHCP switched off and all my machines (except one at the moment) get the Virgin router assigned as the Internet gateway (via my own DHCP server).
My test machine gets the BT HomeHub 3 assigned as the Internet gateway (also from my own DHCP server) and I have switched off DHCP on Home Hub.
Before I move onto my issue, I have to say that the above network setup works flawlessly.
The Virgin Router is on 192.168.0.1, The Home Hub is on 192.168.0.2. (subnet 255.255.255.0)
They are on the same network but because DHCP is switched off on both routers - everything is happy.
I can access my Server from the Internet via my no-ip.org address and it all works great.
The issue:
I thought it would be relatively simple to configure the BT Home Hub 3 to access my server from the Internet.
Hmmm. Port Forwarding seems to be the issue. It just doesn't work reliably enough. Sometimes it works, then sometime it stops working. Right now it's not working.
At first I thought it was just me, not configuring it correctly. But no.
Then I started reading this forum and found there are reports of issues with port forwarding going back a year.
I don't know if that's a good or bad thing - an issue running that long must be on the verge of getting fixed right?
Or any issue running that long without resolution probably has no simple resolution or just isn't a priority (for BT) maybe.
My Question:
(and I think I already know the answer)
Has anyone got a sure fire way of configuring the HomeHub3 so the port forwarding works?
Or should I just throw in the towel now and buy a Dual Wan Router?
One last note:
This morning my Infinity Broadband Speed dropped from
38Mb down/6Mb Up (measured several times yesterday)
to
0.7Mb down/0.3Mb Up (yes those decimal points are in the right place)
And I haven't got a clue why.
I power cycled the HomeHub and it returned to normal. Does this happen to other people?
Cheers
Graeme.
GraemeBullitt wrote:
the port on your network is defined by lan ip address and port number eg 192.168.1.10:80
you cannot forward this outbound port twice
There is no "port on my network". A port is associated with an IP address, not a network.
My webserver listens on port 80 - requests from the Internet for http are port forwarded by the router (either BT Homehub or Virgin Superhub) to port 80 at address 192.168.0.5 (in my case).
If I am trying to access my webserver from the Internet, I point my browser at the WAN IP address of my router (again it doesn't matter which one - BT or Virgin) and the router port forwards the request to my Webserver. Each router can do this independently.
"you cannot forward this outbound port twice"
As explained above - It's an inbound port not an outbound port.
I appreciate you are trying to be helpful but just telling me something is not possible without explaining why it's not possible doesn't really help me.
As I said before, this was working fine, then it stopped working but only when trying to access my webserver via the BT Router. It still works fine from my Virgin Router. I used WireShark and port mirroring on my switch to prove that the Home Hub has stopped port forwarding inbound traffic to my webserver.
This is a problem with port forwarding on the Homehub, not my network setup. Looking at other posts on this forum - I'd suggest I'm not the only one having problems.
To be honest, it's the least of my problems with the HomeHub right now. I'm far more concerned with the fact that twice today I've had to power cycle it because the throughput has dropped from 38Mbit-down/6Mbit-up to <1Mbit-down/<1Mbit-up. It's a known problem, BT are working on it, yet I still am paying full price for a product that should never have made it out of Beta test.
Graeme
-
Problem with call forwarding. Calls can not be forwarded for incoming external calls
Hi Everybody, how are you?
I have a problem with call forwarding. Everything was fine but now it is not working.
In the reception of an office, the receptionist activates the call forward option to an internal extension. If somebody internal to the office calls the reception, the call is forwarded to the configured extension. But if I call from outside (for example, from my cellphone) the call is not forwarded to the configured extension and continues ringing on the reception phone. Why this behavior? Any idea?
If you know something please tell me.
Thanks. Best regards.
Andres Collazos.
I encounter a similar problem with 9.1.1.
My problem is linked to this bug ID: CSCtq10477.
Mathieu
-
Port forwarding for clientless SSL VPN access
Hello,
I am currently trying to set up clientless SSL VPN access for some remote sites that our company does business with. Since their machines are not owned by my company, we don't want to install/support a VPN client. Therefore, SSL is a great option.
However, I'm running into an issue. I'm trying to set up port forwarding for a few remote servers. These remote servers are different and have distinct IP addresses. They are attempting to connect with two different servers here.
But my issue is that both servers are trying to use the same TCP port. The ASDM is not letting me use two different port forwarding rules for the same TCP port. The rules can exist side-by-side, but they cannot be used at the same time.
Why? It's not trying to access the same TCP port on a server when it's already in use. Is there any way I can get around this?
If this doesn't make sense, please let me know and I'll do my best to explain it better.
Hi Caleb,
If you mean clientless webvpn port-forwarding lists, then you should be able to meet your requirements. Even the same port of the same server can be mapped to different ports bound to the loopback IP.
CLI:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
then you apply the port-forwarder list under a group-policy
Hope this helps
Mashal
Mashal Alshboul
-
How do you set up Port Forwarding for ARD 2.2 in AEB N?
Help,
I'm a novice at Apple Remote Desktop (ARD) - not an IT guy, so it has to be pretty basic and detailed.
How do you set up Port Forwarding for ARD 2.2 on the Apple Airport Extreme BS router, 802.11 N? I have one at each end of the internet connection. At one end I have an Airport Extreme N router with 2 macs and eventually 1 windows XP machine (if I can) that I would like to be able to connect to over the internet (the clients) and at the other end, I have a Mac with ARD 2.2 installed also with an Airport Extreme N router. Note: Both routers use Static IP addresses and all computers use static IP's internally not through DHCP. What are the settings or directions to do this?
I have read and printed out the directions for Configuration of ARD 3.0 that are posted many times in the ARD discussion group, but it uses a Linksys router ( http://www.starkpr.com/ard.htm posted by Dave Sawyer). The Mac router is different, particularly with the place to set a Private IP address. I'm not sure about a lot of things, but especially about the Private IP address, what number do I set it to, the one that is in my Network connections list? It automatically changes to a different number in AE N setup for Port Forwarding (by one) as if it is not supposed to be the same?????
Are there any directions available that are as straightforward for the Airport Extreme N router, as the ones that are listed here for the Linksys Routers? ( http://www.starkpr.com/ard.htm )
Any and All help will be greatly appreciated.
P.S. I know I should have 3.0 but bought 2.2 just weeks before 3.0 came out and they would not give me an upgrade price, so I'm waiting for 4.0 to upgrade.
Thanks,
Jim
Try the following for each AirPort Extreme ...
AEBSn - Port Mapping Setup
To set up port mapping on an 802.11n AirPort Extreme Base Station (AEBSn), either connect to the AEBSn's wireless network or temporarily connect directly, using an Ethernet cable, to one of the LAN ports of the AEBSn, and then use the AirPort Utility, in Manual Setup, to make these settings:
1. Reserve a DHCP-provided IP address for the host device.
Internet > DHCP tab
o On the DHCP tab, click the "+" (Add) button to enter DHCP Reservations.
o Description: <enter the desired description of the host device>
o Reserve address by: MAC Address
o Click Continue.
o MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>
o IPv4 Address: <enter the desired IP address>
o Click Done.
2. Setup Port Mapping on the AEBSn.
Advanced > Port Mapping tab
o Click the "+" (Add) button
o Service: <choose the appropriate service from the Service pop-up menu>
o Public UDP Port(s): 3283
o Public TCP Port(s): 3283
o Private IP Address: <enter the IP address of the host server>
o Private UDP Port(s): 3283
o Private TCP Port(s): 3283
o Click "Continue"
o Click the "+" (Add) button
o Service: <choose the appropriate service from the Service pop-up menu>
o Public UDP Port(s):
o Public TCP Port(s): 5900
o Private IP Address: <enter the IP address of the host server>
o Private UDP Port(s):
o Private TCP Port(s): 5900
o Click "Continue"
o Click the "+" (Add) button
o Service: <choose the appropriate service from the Service pop-up menu>
o Public UDP Port(s):
o Public TCP Port(s): 5988
o Private IP Address: <enter the IP address of the host server>
o Private UDP Port(s):
o Private TCP Port(s): 5988
o Click "Continue"
(ref: "Well Known" TCP and UDP ports used by Apple software products)
-
Port forwarding for Warcraft 3 - no other posts have helped me solve this :
Hi everyone,
At risk of flogging a dead horse, I am having trouble with port forwarding/port mapping on my new AEBS and need help.
Warcraft 3 requires ports 6112-6119 open, which I had successfully set up through the Router Management Interface of my router (Speedstream 536 v6). Since I've set up the airport and run the router through it, I've been unable to host/join games on Warcraft, due to ports not being open.
I've since gone back in to the router setup and attempted to configure it. I've tried sending the open port traffic to the base station, to the computer, and a combination of each, but nothing seems to fix it.
Aside from port forwarding, it is working fine. My internet connection is flawless (a little slower than before airport ... or perhaps my imagination?), my Wii and XBOX360 both find the network fine (360 hard wired over ethernet due to wireless security issues ... see other threads!), but I can't play my warcraft games.
The help system (and some of the other threads on here) direct me to the Airport Utility -> Advanced -> Port Mapping. The problem is that on my advanced pane I only see:
- Logging and SNMP
- Bonjour
- IPv6
I've tried restarting the AEBS but get no joy. Is there something I'm doing that is fundamentally wrong? Can anyone help me? I'm not sharing the connection with any other computers, just wii and xbox, if that makes any difference.
If there's anything else you'd need to know, please ask me.
I look forward to your responses, and any help is most appreciated.
Regards,
GH
The IP address of my iMac is 10.0.0.1; the address of the Speedtouch is 10.0.0.138; the AEBS is 10.0.0.2, and the xbox360 (which the speedtouch sees as "Generic device") is 10.0.0.4.
On the speedtouch setup page, there's a lot of long-winded gibberish which I don't really understand, but perhaps it'll be of some use to someone more knowledgeable on the topic. Each device has the following information:
iMac (which it lists as Unknown-00-11-24-bb-ef-96):
Information
Status: Active
Type: Generic Device
Connected To: ethport1 (Ethernet)
Addressing
Physical Address: 00:11:24:bb:ef:96
IP Address Assignment: DHCP
IP Address: 10.0.0.1
Always use the same address: No
DHCP Lease Time: 0 days, 16:34:40
Connection Sharing
Game or Service
War3
Warcraft III
(This is what I had named the settings which opened ports 6112-6119 on TCP and UDP respectively. As stated, it worked fine before the airport came along, and I've since tried removing and reinstating with no success).
Airport-Extreme
Information
Status: Active
Type: Generic Device
Connected To: ethport1 (Ethernet)
Addressing
Physical Address: 00:16:cb:c2:c3:2c
IP Address Assignment: DHCP
IP Address: 10.0.0.2
Always use the same address: No
DHCP Lease Time: 0 days, 16:38:05
Connection Sharing
There is no game or service assigned to this device.
Xbox360
Unknown-00-17-ab-4f-fa-a6
Information
Status: Active
Type: Generic Device
Connected To: ethport1 (Ethernet)
Addressing
Physical Address: 00:17:ab:4f:fa:a6
IP Address Assignment: DHCP
IP Address: 10.0.0.4
Always use the same address: No
DHCP Lease Time: 0 days, 16:31:45
Connection Sharing
There is no game or service assigned to this device.
Does any of this help at all?
-
I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well. Port forward configurations performed on the Actiontec are working well.
I installed an L2TP/IPSec VPN server, tested internally and it connected successfully. So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.
I logged into the Verizon Actiontec MI424WR router and set up port forwarding for UDP ports 500, 1701 & 4500.
Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
With the port forwarding in place, I tested VPN externally but it didn't connect.
I've done the following so far to no avail:
Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
There are no other pre-existing L2TP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
There was an L2TP port triggering rule enabled, that I toggled on and off with no change
Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)
Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced it's an issue with the Verizon Actiontec router. But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this. For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?
My router details:
Verizon Actiontec
MI424WR-GEN2
Revision E
Firmware 20.21.0.2
Verizon Actiontec built-in L2TP/IPSec rule templates. They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.
normally a vpn on that router, will have a GRE tunneling protocol as well.
two ways to build the PF rules,
Manually
Preconfigured
I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it.
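The question in this thread asks how to tell whether the inbound connection attempt reaches the VPN server at all. The following Python code is an added example, not part of the original posts: it classifies raw IPv4 packets captured on the server into the legs of an L2TP/IPsec session (IKE on UDP 500, NAT-T on UDP 4500, ESP, AH) and reports how far an attempt got. The function names, sample packets and addresses are constructed for illustration.

```python
import struct

ESP, AH, UDP = 50, 51, 17  # IP protocol numbers

def classify(packet: bytes) -> str:
    """Name the L2TP/IPsec leg that one raw IPv4 packet belongs to."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto = packet[9]
    if proto in (ESP, AH):
        return "esp" if proto == ESP else "ah"
    if proto != UDP:
        return "other"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "fragment"                  # non-first fragment: no UDP header
    if ihl < 20 or len(packet) < ihl + 8:
        return "other"
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    payload = packet[ihl + 8:]
    if dport == 500:
        return "ike"
    if dport == 4500:                      # NAT-T port carries three payloads
        if payload == b"\xff":
            return "nat-keepalive"
        if payload[:4] == b"\x00" * 4:
            return "ike-natt"              # non-ESP marker precedes IKE
        return "esp-in-udp"
    if dport == 1701:
        return "l2tp-cleartext"            # normally hidden inside ESP
    return "other"

def diagnose(packets) -> str:
    """Summarise how far a connection attempt got, as seen on the server."""
    seen = {classify(p) for p in packets}
    if seen & {"esp", "esp-in-udp"}:
        return "ipsec-data-flowing"
    if "ike-natt" in seen:
        return "negotiating-on-4500"
    if "ike" in seen:
        return "stalled-after-udp500"
    return "no-ipsec-traffic"

# Constructed sample packets (checksums left at zero, addresses made up).
def ipv4(proto, payload, frag=0):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64, proto,
                       0, bytes([203, 0, 113, 7]), bytes([192, 168, 1, 10])) + payload

def udp(dport, data):
    return struct.pack("!HHHH", dport, dport, 8 + len(data), 0) + data

STALLED = [ipv4(UDP, udp(500, b"\x11" * 28))] * 3
WORKING = STALLED + [ipv4(UDP, udp(4500, b"\x00" * 4 + b"\x11" * 28)),
                     ipv4(UDP, udp(4500, b"\x12\x34\x56\x78" + b"\x00" * 32)),
                     ipv4(UDP, udp(4500, b"\xff"))]
```

With the server behind a port forward, a session normally moves from UDP 500 to UDP 4500 and carries L2TP (UDP 1701) inside ESP, so a result of `stalled-after-udp500` points at the UDP 4500 leg or at replies not getting back to the client, while `no-ipsec-traffic` means nothing was delivered to the server at all.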
Maybe you are looking for
-
Binded variables change value of modbus PLC variable when application starts
Hello, I have a front panel with controls binded to some shared variables that use a modbus server to control a PLC. There is no logic behind that front panel, all I want to do is to be able to read/write some variables on the PLC. I binded the contr
-
Pop up box with Ok and Cancel choices, not working. Please Help.
Hello! I am trying to create a pop up box that allows users to choose Ok and Cancel (i'm just testing with Ok and Cancel for now). For some reason when I run it a CMD line pops up and closes very quickly, but i do not get errors. Here is my code:
-
What can I do to get my Email both personal and Spam?
3rd time, mail has stopped appearing in my mailbox, someone tell me how to correct this myself
-
Yearly recurring meeting created on iPhone breakes iCal sync with exchange
I encounter a reproducable bug with Snow Leopard 10.6.1's iCal stopping sync with Exchange 2007 SP1 (Update Rollup 7), as soon a i create a yearly recurring meeting on iPhone 3GS connected to same Exchange Server via Active Sync. After creating this
-
Unable to use complex libraries in 64bits?
hello all, i have this short program: #include <complex.h> int main() complex z(1,2), zz(3, 4); complex zzz = z + zz; }calypso-henry% CC -compat -m32 -o comp1 comp1.C -I/opt/SUNWspro/include -L/opt/SUNWspro/lib -lcomplex -lm but calyp